Software & Supply Chain Attacks: Why Third-Party Vendors Are Becoming the Biggest Risk


According to the ENISA Threat Landscape 2024, attacks targeting the software and IT supply chain are among the most effective attack methods worldwide. The reason is simple: if an attacker cannot directly target a well-secured organization, they will target one of its suppliers—thereby affecting dozens of organizations at once. SolarWinds, Kaseya, MOVEit—the list is growing.

What is a supply chain attack?

Attackers compromise a supplier, software vendor, or managed service provider (MSP) and exploit their trusted access to the target organizations. The insidious part is that the affected companies have done everything “right.” The risk comes through trusted channels.

The most common attack vectors

  • Compromised software updates: Malicious code is embedded in legitimate updates—users who update automatically are installing the malware without realizing it.
  • MSPs as a gateway: MSPs have privileged access to customer systems. A compromised MSP is like a master key.
  • Open-source libraries: Dependencies in software projects are replaced with malicious versions, so a build that resolves the dependency pulls in the attacker's code.
  • Compromised build pipelines: CI/CD systems are being targeted to inject malicious code into the development process.

What companies can do specifically

  • Create an inventory of all third-party providers with system access
  • Include security requirements in contracts: certifications, audit rights
  • The principle of least privilege also applies to external access
  • Verify software origins: code signing, software bills of materials (SBOM)
  • NIS-2: Supply chain security is explicitly mandatory
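As an added example that is not part of the original post, the following Python script shows the SBOM check the list above asks for: it parses a minimal CycloneDX-style SBOM and compares the SHA-256 of each installed artifact with the hash the SBOM declares, which catches the substituted-dependency case from the attack-vector list (same name and version, different contents). The package names, artifact bytes and the SBOM document itself are constructed sample data; in practice the SBOM comes from the vendor and the bytes from the deployed system.

```python
import hashlib
import json

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed sample artifacts as they existed when the (hypothetical) vendor SBOM was issued.
KNOWN_GOOD = {
    ("left-pad", "1.3.0"): b"module.exports = function leftPad(s, n) { return s.padStart(n); };\n",
    ("lodash", "4.17.21"): b"/* constructed stand-in for the lodash build */\n",
}

def build_sbom(artifacts) -> str:
    """Emit a minimal CycloneDX-style JSON document with only the fields the check needs."""
    return json.dumps({
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "components": [
            {"type": "library", "name": name, "version": version,
             "hashes": [{"alg": "SHA-256", "content": sha256_hex(data)}]}
            for (name, version), data in artifacts.items()
        ],
    })

def verify_installed(sbom_json: str, installed) -> list:
    """Return findings comparing SBOM components with installed bytes; [] means match."""
    findings = []
    listed = set()
    for comp in json.loads(sbom_json)["components"]:
        key = (comp["name"], comp["version"])
        listed.add(key)
        expected = {h["content"].lower() for h in comp.get("hashes", [])
                    if h.get("alg") == "SHA-256"}
        if not expected:  # unverifiable is a finding, not a pass
            findings.append(f"{key[0]}@{key[1]}: no SHA-256 in SBOM, cannot verify")
        elif key not in installed:
            findings.append(f"{key[0]}@{key[1]}: listed in SBOM but not installed")
        elif sha256_hex(installed[key]) not in expected:
            findings.append(f"{key[0]}@{key[1]}: hash mismatch, artifact differs from SBOM")
    for key in sorted(installed.keys() - listed):
        findings.append(f"{key[0]}@{key[1]}: installed but absent from SBOM")
    return findings

if __name__ == "__main__":
    sbom = build_sbom(KNOWN_GOOD)
    tampered = dict(KNOWN_GOOD)  # constructed: same name/version, different bytes
    tampered[("left-pad", "1.3.0")] = b"/* contents replaced after the SBOM was issued */\n"
    print("clean   :", verify_installed(sbom, KNOWN_GOOD) or "OK")
    print("tampered:", verify_installed(sbom, tampered))
```

The same comparison works against a signed SBOM once the signature has been checked; the hash check is what ties the document to the bytes actually running.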

Axsos helps companies assess and secure their IT supply chain. Request a third-party risk analysis today.
